Wireshark-dev: Re: [Wireshark-dev] changing the time

From: Martin Mathieson <martin.r.mathieson@xxxxxxxxxxxxxx>
Date: Thu, 31 Jan 2013 09:58:20 +0000
I don't know if overriding the time is a good idea - but I'm not sure what would go wrong.

You can add any field as a column by right-clicking on the field and choosing 'Apply as Column'.  I do this with the log files my company uses - we have a timestamp field in our file format that ends up being dissected (see hf_catapult_dct2000_timestamp in packet-catapult-dct2000.c).

I find it tedious to try to analyse a file that is not in the correct order though, and it can interfere with sequence analysis that dissectors can do.  If it is easy to find/parse the timestamp, I would consider writing a console wiretap program, based upon reordercap, that would:
- read the frames in, but overwriting the timestamp with a value derived from the timestamp parsed from your frames
- sort the frames by this timestamp
- write sorted frames to an output file

Of course, I don't really know what you are doing, and whether seeing the original capture time is also useful....

Martin
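Martin's reordercap-style suggestion, as an added example that is not part of this thread or of Wireshark's own code: a small pure-Python tool that reads a classic little-endian pcap, replaces each record's capture time with a timestamp parsed from the frame, sorts the records by that time and writes the result. The frame format (an 8-byte big-endian microsecond timestamp at the start of each payload), the `parse_ts` callback and the sample capture are constructed assumptions, not anything from the original poster's file format.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4                 # classic little-endian pcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len


def read_records(pcap):
    """Yield (ts_sec, ts_usec, orig_len, payload) for every record in a classic pcap."""
    if GLOBAL_HDR.unpack_from(pcap, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    off = GLOBAL_HDR.size
    while off < len(pcap):
        ts_sec, ts_usec, incl_len, orig_len = REC_HDR.unpack_from(pcap, off)
        off += REC_HDR.size
        payload = pcap[off:off + incl_len]
        if len(payload) != incl_len:  # refuse silently mis-sorting a truncated file
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield ts_sec, ts_usec, orig_len, payload


def payload_timestamp_us(payload):
    """Constructed frame format: each frame starts with a big-endian 8-byte microsecond timestamp."""
    return struct.unpack_from(">Q", payload, 0)[0]


def reorder_pcap(pcap, parse_ts=payload_timestamp_us):
    """Replace each record's capture time with the in-frame timestamp, sort, and re-emit."""
    records = [(parse_ts(p), orig_len, p) for _s, _us, orig_len, p in read_records(pcap)]
    records.sort(key=lambda r: r[0])  # stable sort: equal timestamps keep capture order
    out = bytearray(pcap[:GLOBAL_HDR.size])  # global header is carried over unchanged
    for ts, orig_len, payload in records:
        out += REC_HDR.pack(ts // 1_000_000, ts % 1_000_000, len(payload), orig_len)
        out += payload
    return bytes(out)


def build_pcap(frames):
    """Build a constructed pcap from (capture_ts_us, payload) pairs; linktype 147 is LINKTYPE_USER0."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 147))
    for cap_ts, payload in frames:
        out += REC_HDR.pack(cap_ts // 1_000_000, cap_ts % 1_000_000, len(payload), len(payload))
        out += payload
    return bytes(out)


# Constructed sample: capture order (1.000000s, 1.000010s, 1.000020s) disagrees with the in-frame times.
SAMPLE = build_pcap([
    (1_000_000, struct.pack(">Q", 3_000_000) + b"third"),
    (1_000_010, struct.pack(">Q", 1_000_000) + b"first"),
    (1_000_020, struct.pack(">Q", 2_000_000) + b"second"),
])
```

The rewritten file no longer carries the original arrival times, so keep the unmodified capture alongside it when the hardware's own timing is evidence you may need later.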

On Thu, Jan 31, 2013 at 5:42 AM, Natalie Shapira <nd1234@xxxxxxxxx> wrote:

Thanks.

Eventually I override
pinfo->fd->rel_ts
pinfo->fd->del_dis_ts

It looks good.

If I have problems again, I will create a separate column.
BTW, can you think of a dissector that did it (adding a column)? So I could use it as an example..
Natalie.


On Wed, Jan 30, 2013 at 2:44 PM, Evan Huus <eapache@xxxxxxxxx> wrote:
You can add the new timestamp as a regular dissected field. Wireshark
allows you to create columns out of arbitrary fields in dissected
packets.

Cheers,
Evan

On Wed, Jan 30, 2013 at 4:51 AM, Natalie Shapira <nd1234@xxxxxxxxx> wrote:
> Anyway, you gave me another idea. What about making new column of my_timestamp
> and sort by that column... Do I have the ability to add a new column from a
> dissector?
>
> On Wed, Jan 30, 2013 at 11:46 AM, Natalie Shapira <nd1234@xxxxxxxxx> wrote:
>>
>> I have no choice. It's a workaround for a hardware bug.
>>
>> On Wed, Jan 30, 2013 at 11:05 AM, Anders Broman
>> <anders.broman@xxxxxxxxxxxx> wrote:
>>>
>>> Hi,
>>> Those are the timestamps of packet arrival; there should be no need to
>>> change them from a dissector - sounds like a bad idea to me.
>>> Regards
>>> Anders
>>>
>>> ________________________________
>>> From: wireshark-dev-bounces@xxxxxxxxxxxxx
>>> [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Natalie Shapira
>>> Sent: 30 January 2013 09:16
>>> To: wireshark-dev@xxxxxxxxxxxxx
>>> Subject: [Wireshark-dev] changing the time
>>>
>>>
>>> Hi everybody,
>>>
>>> It's my first question so, nice to meet you!
>>>
>>> I'm writing a new dissector (plugin).
>>> I want to change the time of the packet.
>>> I tried to change pinfo->fd->rel_ts.secs and pinfo->fd->rel_ts.nsecs. It
>>> looks like I did it BUT, after sorting, not all packets are in the exact
>>> place.
>>>
>>> Do you have an example, idea or any recommendation?
>>>
>>> Thanks,
>>> Natalie.
>>>
>>>
>>> ___________________________________________________________________________
>>> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
>>> Archives:    http://www.wireshark.org/lists/wireshark-dev
>>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>>>
>>> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe